OSINT

Useful sites and tools for an Investigation


Let’s say that we are investigating a company as part of an assessment. During this recon process we can use anything available on the internet (Surface Web, Deep Web or Dark Web). This includes free tools and sites, and whether you can or want to use paid services as well is up to you. Just remember, we are the good guys, so don’t cross the line.

But don’t worry, we are smart enough and we know how to perform an intelligence analysis, ok?

When I investigate a company with no previous information provided by them, I usually begin with the domain and web services. You will probably know the organization’s name, domain and/or at least one email account. If not, you can start with Google/DuckDuckGo 🙂

With this simple piece of information we can start scanning the domain, looking for anything useful like registered IP addresses, open ports, outdated protocols or vulnerable technologies:

https://whois.domaintools.com/
https://www.shodan.io/
https://centralops.net/co/DomainDossier.aspx

We could also use tools like Nmap or RustScan to validate much of the same information, but FYI: this kind of tool might raise alerts on the target’s IDS/firewalls and/or other perimeter security tools. Anyway, you can install them easily on Windows, Linux and other systems:

https://nmap.org/download.html
https://github.com/RustScan/RustScan/releases/tag/2.1.0

If we go one step further, we can use vulnerability scanners like Nessus from Tenable, or you can choose an open-source tool like Nikto, which is a web server scanner. Even if they are oriented to pentesting or vulnerability assessments, they can also be used during the recon phase to obtain information on the target’s vulnerabilities. As a special mention, you can add to your browser (Firefox) the amazing extension called Wappalyzer, which can detect most of the technologies used on a website. Going back to the recon idea, what better tool to mention than Recon-ng:

https://github.com/sullo/nikto
https://www.tenable.com/downloads/nessus?loginAttempted=true
https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/
https://github.com/lanmaster53/recon-ng

And let’s not forget those sites that could shed some light on old incidents or on threats linked/related to an organization, VirusTotal and JoeSandbox:

https://www.virustotal.com/gui/home/upload
https://www.joesandbox.com/

Let’s say we want to start digging into available email accounts for domain users, along with the names they belong to, and maybe even some aliases on different sites. Here I introduce theHarvester and Sherlock, two open-source tools that search and gather information across all kinds of social networks and search engines:

https://github.com/laramies/theHarvester
https://github.com/sherlock-project/sherlock

When we try to analyze the email accounts that we were able to gather, we will find quite a good list of sites that provide very useful information. The Simple Email Reputation website can analyze the records for the account’s domain and its blacklist state, along with possible password breaches. Talking about leaks, here we can use another very simple and useful site called ‘;–have i been pwned?, which basically tells you in which known leaks the account has shown up. Along the same line, you can use a paid resource like DeHashed, which will tell you not only whether and when it was leaked, but also the extracted passwords and hashes. Another site where we can sometimes find information is the best-known pasting site: Pastebin.

https://emailrep.io/
https://haveibeenpwned.com/
https://www.dehashed.com/
https://pastebin.com/

Let’s put something stronger on your plate: Maltego is an intelligence tool used to conduct open-source investigations and centralize information gathering through different sources (both free and paid versions are available). This tool is a little more complex than the ones we already mentioned, but the learning process is worthwhile. You need to create a free account on the Maltego website, and once you have downloaded it, you must log in to use it. You also need to configure the “Transforms” that integrate the different platforms. Some of them are paid and others are free, but in any case you will need to create an account with each platform to connect with your own API key (e.g. Shodan, AlienVault, VirusTotal, etc.):

https://www.maltego.com/downloads/

Let’s continue in the same line of thought: the next tool is a blessing for those of us who like to analyze metadata. FOCA Pentest is a metadata gathering tool that lets you search for files with around 20 different extensions (you can customize this). After you find them, you will be able to download them into a directory, extract the metadata and even analyze them for possible infection.

https://github.com/ElevenPaths/FOCA

Now, let’s imagine that among the information you collected, you came across some PCI/USB device information. Here’s a very awesome site that will let you ‘hunt’ any possible intel about the device: DeviceHunt. And if you find a different type of information, like possible SSIDs, Wi-Fi names and/or any network information, you should definitely check WiGLE:

https://devicehunt.com/
https://wigle.net/

A quick tip and trick, very useful when we need to find something, someplace or someone through a photograph, is to reverse search images with search engines. We can use Google Images, Yandex or another great website, TinEye:

https://www.google.com/imghp
https://yandex.com/images/
https://tineye.com/

The last ones for today, since we could continue for a while. If we collected personal information and, along with it, Twitter accounts, we can use a geolocation website called BirdHunt to try to find the location of the account’s owner. Continuing with Twitter, we can monitor its activity and perform tag/hashtag searches using another great website: TweetDeck. As a last mention, another geolocation tool, this time for YouTube accounts, is the website YouTube Geofind:

https://birdhunt.co/
https://tweetdeck.twitter.com/
https://mattw.io/youtube-geofind/location

That’s it for today. I will probably do a second part of this, especially because I left out all the Dark Web stuff. The reason for that is that we need to take extra precautions around it, so you should not just go visiting Dark Web sites on your own. Next time!


OSINT: TryHackMe Sakura Room

INTRODUCTION

The room begins with a quick plot to get us into this investigation world.

Answer 1: Let’s Go!

TIP-OFF

We open the image left by the attacker and, using our browser’s Inspect Element tool, we can see a username in the image path, here:

That gives us our Answer: SakuraSnowAngelAiko

RECONNAISSANCE

Here I decided to start googling the username to see what we can find:

The first two things we see here are a GitHub account and, in second place, a possible LinkedIn account related to this name.

Here I began checking the repository that contains the public key and tried to find a site to crack/recover anything from it. After some failed attempts, I found this site:

Answer: SakuraSnowAngel83@protonmail.com
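The email in the answer above comes from the key’s User ID packet, which any OpenPGP parser can read without any “cracking”. As an added example that is not part of the original walkthrough, here is a minimal stdlib-only parser for an ASCII-armored OpenPGP public key (RFC 4880 packet format) that extracts the User IDs and the v4 primary-key fingerprint. The sample key is constructed for the demo (placeholder MPIs and a placeholder CRC line, which the parser skips rather than verifies); point key_identity at a real exported key to use it.

```python
import base64, hashlib, struct

def dearmor(text: str) -> bytes:
    """Strip ASCII armor (armor headers and the =CRC24 line) and return raw packet bytes."""
    lines = [l.strip() for l in text.splitlines()]
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP")) + 1
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP"))
    b64 = [l for l in lines[start:end] if l and ":" not in l and not l.startswith("=")]
    return base64.b64decode("".join(b64))

def packets(raw: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(raw):
        ctb, i = raw[i], i + 1
        if ctb & 0x40:                                   # new-format header (bit 6 set)
            tag, first, i = ctb & 0x3F, raw[i], i + 1
            if first < 192:    length = first
            elif first < 224:  length, i = ((first - 192) << 8) + raw[i] + 192, i + 1
            elif first == 255: length, i = struct.unpack(">I", raw[i:i + 4])[0], i + 4
            else: raise ValueError("partial body lengths not supported")
        else:                                            # old-format header (what GnuPG exports)
            tag, n = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 3]
            if n == 0: raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(raw[i:i + n], "big"), i + n
        yield tag, raw[i:i + length]
        i += length

def key_identity(armored: str) -> dict:
    """Collect User IDs (tag 13, "Name <email>") and the v4 primary-key fingerprint (tag 6)."""
    info = {"user_ids": [], "fingerprint": None}
    for tag, body in packets(dearmor(armored)):
        if tag == 6 and body[:1] == b"\x04":             # v4 fingerprint = SHA-1(0x99 | len | body)
            digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
            info["fingerprint"] = digest.hexdigest().upper()
        elif tag == 13:
            info["user_ids"].append(body.decode("utf-8", "replace"))
    return info

def old_packet(tag: int, body: bytes) -> bytes:          # builds the constructed sample only
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

# Constructed sample key: v4 RSA key packet with placeholder MPIs plus one User ID packet.
KEY_BODY = b"\x04\x00\x00\x00\x00\x01" + b"\x00\x11\x01\x00\x01" * 2
UID = b"Example User <osint-example@example.invalid>"
SAMPLE_KEY = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
              + base64.b64encode(old_packet(6, KEY_BODY) + old_packet(13, UID)).decode()
              + "\n=XXXX\n-----END PGP PUBLIC KEY BLOCK-----\n")   # =XXXX is a placeholder CRC
```

The same User ID text is what GitHub and key servers display next to a key, so checking it locally against an exported key is a quick way to confirm which identity a repository’s key actually claims.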

Digging a little bit more, I found other interesting stuff on GitHub, but it didn’t lead me to her name, so I decided to check the name from the LinkedIn account:

Tested and it worked! Our Answer for the second question is: Aiko Abe

UNVEIL

Remember that interesting thing I said before about GitHub? Well, this is it. If you go to:

check the “History” and select the oldest commit, you should see the following:

Here is what seems to be a cryptowallet address. I checked this with a couple of sites that gave me some info, but in the end the most useful was:

https://etherchain.org/

The first answer, as soon as you check this address anywhere, is: Ethereum

The second answer is the one we already found at GitHub: 0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef

Now on the Etherchain site, after you search for the wallet and look at the transactions, you should see the answers to questions 3 and 4 in almost the same place:

Answer 3, for the mining pool of this transaction: Ethermine

And then Answer 4, the other cryptocurrency that the attacker exchanged: Tether

TAUNT

Here, not much of an effort:

Answer: SakuraLoverAiko

Now, this one kept me thinking for a while:

Googling the keywords DEEP, PASTE and Pasted a little, I got a Dark Web site called “Deep Paste” or “depasted”. You will need to access it using the Tor browser at:

http://depastedihrn3jtw.onion/show.php?md5=0a5c6e136a98a60b8a21643ce8c15a74 (Which is our Answer 2)

Here you need to search for the MD5 of the previous picture, and you will get several Wi-Fi entries; the one that we need is Home.

Using the Wi-Fi name obtained, on the well-known site WiGLE, in Advanced Search (requires you to sign in), we get:

Our Answer 3 is listed right there: 84:af:ec:34:fc:f8

HOMEBOUND

The last task. Here we go!

Let’s check the photos shared on Twitter:

Looking for the closest airport on Google gave me:

And it is also our first Answer: DCA

Looking at the other tweets, we saw this one:

Once again, googling this:

Actually, here I tested both, and it was Haneda. Our Answer is the short version: HND

For the last two, I decided to jump first to the last question: using the BSSID obtained in the previous section, we can see on the same WiGLE site that the location is Hirosaki.

So, checking a map of Japan, going from Haneda to Hirosaki you can easily find the lake from the picture:

The Answer 3 is: Lake Inawashiro

And, as we already found out a minute ago, Answer 4 (the last one) is: Hirosaki

I hope you have enjoyed this room as much as I did. Thank you for reading my walkthrough!
